Good day, my friends. Yesterday I did my weekly scan using Zone Alarm Security Suite; it found some virus and killed it so quickly I didn't manage to see what it was. Then, on using Spybot Search & Destroy, it found a Trojan which it killed. This morning I was looking at my C: drive using Explorer and noticed fsxveje.exe, mhdjq.exe, rudkbpt.exe, snfmx.exe and yvontfxw.exe, all created yesterday, 9/9/06. I have done a search on the web but can't find any information on them. Can someone tell me if they should be on my computer, or are they connected with the scans I did yesterday? If so, what should I do? Thanks
They're not legit, because the names are random. Download HijackThis and extract the file to a folder on your desktop. Run a scan and save a log file. Paste that log here.
Hiya Niobis, thanks for replying so quickly. Here is my log:

Logfile of HijackThis v1.99.1
Scan saved at 08:40:31, on 10/09/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\isafe.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0H2.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
C:\WINDOWS\system32\LVComsX.exe
C:\PROGRA~1\MICROS~2\Office\OUTLOOK.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
D:\Backup\DownLoads\HijackThis_v1.99.1(2).exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.blueyonder.co.uk/search/search.jsp
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.blueyonder.co.uk
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided by blueyonder
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SW20] C:\WINDOWS\system32\sw20.exe
O4 - HKLM\..\Run: [EPSON Stylus Photo R200 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0H2.EXE /P30 "EPSON Stylus Photo R200 Series" /O6 "USB001" /M "Stylus Photo R200"
O4 - HKLM\..\Run: [BCWipeTM Startup] "C:\Program Files\Jetico\BestCrypt\BCWipeTM.exe" startup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~2\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~2\MSGRAP~1.DLL
O20 - AppInit_DLLs: hplun.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Bluetooth Service (btwdins) - Unknown owner - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe (file missing)
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\WINDOWS\system32\ZoneLabs\isafe.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
Not showing in your log. Go here and run ActiveScan. When it finishes, save the results and post them here.
Here it is:

Incident                                          Status            Location
Spyware:Cookie/Mediaplex                          Not disinfected   C:\Documents and Settings\Jimmy\Application Data\Mozilla\Firefox\Profiles\koojapkj.default\cookies.txt[.mediaplex.com/]
Spyware:Cookie/FastClick                          Not disinfected   C:\Documents and Settings\Jimmy\Application Data\Mozilla\Firefox\Profiles\koojapkj.default\cookies.txt[.fastclick.net/]
Spyware:Cookie/Casalemedia                        Not disinfected   C:\Documents and Settings\Jimmy\Application Data\Mozilla\Firefox\Profiles\koojapkj.default\cookies.txt[.casalemedia.com/]
Spyware:Cookie/Tribalfusion                       Not disinfected   C:\Documents and Settings\Jimmy\Application Data\Mozilla\Firefox\Profiles\koojapkj.default\cookies.txt[.tribalfusion.com/]
Spyware:Cookie/Atlas DMT                          Not disinfected   C:\Documents and Settings\Jimmy\Application Data\Mozilla\Firefox\Profiles\koojapkj.default\cookies.txt[.atdmt.com/]
Spyware:Cookie/DriveCleaner                       Not disinfected   C:\Documents and Settings\Jimmy\Application Data\Mozilla\Firefox\Profiles\koojapkj.default\cookies.txt[.drivecleaner.com/]
Virus:W32/Junkcomp.A                              Renamed           C:\fsxveje.exe
Adware:Adware/SpySheriff                          Not disinfected   C:\mhdjq.exe
Virus:Trj/Jupillites.G                            Disinfected       C:\rudkbpt.exe
Potentially unwanted tool:Application/Processor   Not disinfected   D:\Backup\Install Bak\Install\SmitfraudFix.zip[SmitfraudFix/Process.exe]
You may have caught this in good time. Go here and download KillBox. Then go here to download Ewido. Install and update. Note: you may want to print these instructions, as you will be in safe mode. Restart your computer in safe mode. Open Killbox.exe. Check "Standard File Kill". In the "Full Path of File to Delete" box, copy and paste each of the following lines [bold]one at a time[/bold]. Then click the red X button after you enter each file. You will be prompted to confirm; click Yes.
[bold]C:\fsxveje.exe
C:\mhdjq.exe[/bold]
If KillBox prompts that the file doesn't exist, just continue. Close KillBox. Open Ewido and run a full scan. When it finishes, set all items to delete and click "Apply all actions". Then click "Save Report". Restart in normal mode. Post the Ewido log and tell me whether KillBox deleted both files.
Ello Niobis, I've done as requested; here is the log:

ewido anti-spyware - Scan Report
---------------------------------------------------------
+ Created at: 12:21:45 9/10/2006
+ Scan result:
C:\!KillBox\mhdjq.exe -> Downloader.Small.ctf : Cleaned with backup (quarantined).
:mozilla.28:C:\Documents and Settings\Jimmy\Application Data\Mozilla\Firefox\Profiles\koojapkj.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned.
:mozilla.24:C:\Documents and Settings\Jimmy\Application Data\Mozilla\Firefox\Profiles\koojapkj.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.25:C:\Documents and Settings\Jimmy\Application Data\Mozilla\Firefox\Profiles\koojapkj.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.26:C:\Documents and Settings\Jimmy\Application Data\Mozilla\Firefox\Profiles\koojapkj.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.22:C:\Documents and Settings\Jimmy\Application Data\Mozilla\Firefox\Profiles\koojapkj.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.23:C:\Documents and Settings\Jimmy\Application Data\Mozilla\Firefox\Profiles\koojapkj.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.14:C:\Documents and Settings\Jimmy\Application Data\Mozilla\Firefox\Profiles\koojapkj.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned.
:mozilla.21:C:\Documents and Settings\Jimmy\Application Data\Mozilla\Firefox\Profiles\koojapkj.default\cookies.txt -> TrackingCookie.Mediaplex : Cleaned.
:mozilla.9:C:\Documents and Settings\Jimmy\Application Data\Mozilla\Firefox\Profiles\koojapkj.default\cookies.txt -> TrackingCookie.Myaffiliateprogram : Cleaned.
:mozilla.27:C:\Documents and Settings\Jimmy\Application Data\Mozilla\Firefox\Profiles\koojapkj.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned.
::Report end

And KillBox found & deleted c:\mhdjq.exe but [bold]not[/bold] c:\fsxveje.exe.
ActiveScan renamed it. First, show hidden files: open Control Panel > Folder Options > View tab > check the "Show hidden files and folders" box. Look and search for fsxveje.exe; if found, delete it. If not, go here and download AVG Free. Install and update. Restart in safe mode. Run a full scan.
Just noticed you listed "snfmx.exe" and "yvontfxw.exe". Search for those two also. If found, delete them. If you had/have to show hidden folders, be sure to hide them again afterwards.
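The two checks the helper applies in this thread, "the names are random" on the files in C:\ and a read of the HijackThis autostart entries (O4 Run keys, O20 AppInit_DLLs/Winlogon Notify, O23 services), can be put into code so the same judgement is repeatable on the next log. What follows is an added example written for this page; it is not code from the thread, from HijackThis or from any of the tools named above. The five file names and the log lines inside it are copied from the posts; the scoring weights, the 0.6 threshold, the flag wording and the choice of which sections count as autostart are my own assumptions.

```python
"""Triage helpers for the situation in this thread: random-looking .exe files in
a drive root plus a HijackThis log to read. Added example, not code from the
thread or from HijackThis. File names and log lines are copied from the posts;
the scoring weights, threshold and flag wording are assumptions for illustration.
"""
import re

VOWELS = set("aeiouy")
RANDOM_THRESHOLD = 0.6                      # assumption, tuned on this thread's names
AUTOSTART_SECTIONS = {"O4", "O20", "O23"}   # Run keys, AppInit/Winlogon Notify, services

# Copied from the first post: the five files the poster found in C:\.
ROOT_FILES = [r"C:\fsxveje.exe", r"C:\mhdjq.exe", r"C:\rudkbpt.exe",
              r"C:\snfmx.exe", r"C:\yvontfxw.exe"]

# A subset of the HijackThis log posted above, copied verbatim.
HJT_SAMPLE = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SW20] C:\WINDOWS\system32\sw20.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O20 - AppInit_DLLs: hplun.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Bluetooth Service (btwdins) - Unknown owner - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
""".strip().splitlines()

PATH_RE = re.compile(r'([A-Za-z]:\\[^"]*?\.(?:exe|dll|ocx))\b', re.IGNORECASE)  # full path
BARE_RE = re.compile(r"\b([\w-]+\.(?:exe|dll|ocx))\b", re.IGNORECASE)         # bare file name


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def name_randomness(filename):
    """0.0 .. 1.0; higher means the stem looks machine-generated.

    Two cheap traits: how much of the stem is one unbroken consonant run, and how
    far its vowel ratio falls below about 38%, the usual share in English words.
    It ranks, it does not decide: vendor abbreviations such as nvsvc32 score 1.0
    too, so the score is a prompt to look, never a verdict.
    """
    stem = filename.lower().rsplit(".", 1)[0]
    letters = re.sub(r"[^a-z]", "", stem)
    if len(letters) < 4:
        return 0.0
    vowel_ratio = sum(c in VOWELS for c in letters) / len(letters)
    longest_run = max((len(r) for r in re.findall(r"[^aeiouy]+", letters)), default=0)
    run_frac = longest_run / len(letters)
    vowel_deficit = max(0.0, 1.0 - vowel_ratio / 0.38)
    return round(0.5 * run_frac + 0.5 * vowel_deficit, 2)


def path_flags(path):
    """Context signals that carry more weight than the name itself."""
    flags = []
    if re.fullmatch(r"[a-z]:\\[^\\]+", path.lower()):
        flags.append("executable in drive root")   # installers do not drop .exe files in C:\
    if name_randomness(basename(path)) >= RANDOM_THRESHOLD:
        flags.append("random-looking name")
    return flags


def parse_hjt_line(line):
    """Split 'O23 - Service: name - Vendor - C:\\path.exe' into (section, body, path, vendor)."""
    m = re.match(r"^([RO]\d+)\s+-\s+(.*)$", line.strip())
    if not m:
        return None
    section, body = m.groups()
    pm = PATH_RE.search(body) or BARE_RE.search(body)
    path = pm.group(1) if pm else ""
    vendor = None
    if section == "O23":                             # service lines carry a company field
        parts = [p.strip() for p in body.split(" - ")]
        vendor = parts[1] if len(parts) >= 3 else None
    return section, body, path, vendor


def triage_hjt(lines):
    """Return (section, file name, flags) for autostart entries worth a second look."""
    findings = []
    for line in lines:
        parsed = parse_hjt_line(line)
        if parsed is None or parsed[0] not in AUTOSTART_SECTIONS:
            continue
        section, body, path, vendor = parsed
        flags = path_flags(path) if path else []
        if "AppInit_DLLs" in body:   # such DLLs load into every process that links user32
            flags.append("AppInit_DLLs entry: loaded into every process that links user32")
        if "(file missing)" in body:
            flags.append("points at a missing file")
        if vendor == "Unknown owner":
            flags.append("no vendor string")
        if flags:
            findings.append((section, basename(path), flags))
    return findings


def triage_paths(paths):
    """Score a directory listing, most suspicious first."""
    rows = [(basename(p), name_randomness(basename(p)), path_flags(p)) for p in paths]
    return sorted(rows, key=lambda r: (-r[1], r[0]))


if __name__ == "__main__":
    for name, score, flags in triage_paths(ROOT_FILES):
        print(f"{name:<14}{score:>5}  {', '.join(flags)}")
    for section, name, flags in triage_hjt(HJT_SAMPLE):
        print(f"{section:<5}{name:<14}{'; '.join(flags)}")
```

Run it and the five root files all carry "executable in drive root", which is the signal that actually matters; only mhdjq, snfmx and rudkbpt cross the name threshold, fsxveje and yvontfxw sit below it. On the log side NvCpl.dll and nvsvc32.exe score 1.0 because vendor abbreviations look random to letter statistics, which is why the score only queues an entry for a look and the analyst still checks the vendor field, the path and the file itself. The O20 AppInit_DLLs entry and the O23 service whose file is missing are reported on structural grounds regardless of name.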
Well Niobis, I deleted all the files I was concerned about, and today I did a virus check with Zone Alarm, AVG and Ewido. I also ran Ad-Aware and Spybot Search & Destroy, and all came back clear, so I would like to thank you for your help. THANKS